Pp200 solution-TCP stack cache for socket Replay

Source: Internet
Author: User

From: syc


Using socket reuse to solve pp200.

This method is a little bloated, though ~

It is also basically the method people outside China use.

There are better methods, which I'll discuss later.

This is the method I and a few others used.


00000000 89EE        mov esi, ebp            ; get new buffer address
00000002 68FF000000  push dword 0xff         ; len
00000007 56          push esi                ; buffer address
00000008 FF7508      push dword [ebp + 0x8]  ; socket fd
0000000b BB04110508  mov ebx, 0x8051104      ; ebx = readAll() address
00000010 FFD3        call ebx                ; call readAll() -> recv()
00000012 FFD6        call esi                ; call buffer shellcode

[ebp + 0x8] holds the socket fd that this program has already bind()ed.

So you just grab it and reuse it.

The program calls readAll(fd, buffer, 73) once,

which gives a very narrow buffer: a bind() shellcode cannot fit through it.

So I used a lightweight shellcode that

calls readAll(fd, buffer, 255) a second time.

This tears the entry point open with a bigger mouth,

allowing it to receive 255 bytes.

At first I wrote two send() calls in a Python script:

the first send() carried my socket-reuse shellcode,

the second send() my bind() shellcode.

But the bind() shellcode never seemed to get called after it was sent.

Debugging with gdb, I found that after the second readAll(fd, buffer, 255),

what ran directly was the part of the socket-reuse shellcode beyond 73 bytes: 0x42 0x42 0x42 0x0A = ~

Then I understood: the shellcode is actually delivered in one go.

recv() only takes 73 bytes;

anything beyond 73 bytes is held in the TCP stack's receive cache.

I also checked with xi4oyu, who confirmed it.

When I call readAll(fd, buffer, 255) the second time,

recv() pulls its data straight out of the TCP stack cache,

not from the second send() in my Python script.

So one Python send() is enough.

The send() format is as follows:

socket-reuse shellcode + nops | (more than 73 bytes) + nops + bind() shellcode
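The stream behaviour described above (one send(), two reads, the leftover bytes waiting in the kernel's receive buffer) can be reproduced with ordinary sockets on loopback. This is an added example, not code from the original write-up: the 73/255 read sizes mirror the program's two readAll() calls, and the payload is a constructed 'A'/'B' marker string, not shellcode.

```python
import socket
import threading


def recv_upto(conn, n):
    """Read until n bytes have arrived or the peer closes its send side.

    Mirrors a readAll(fd, buf, n)-style loop; the kernel hands back whatever
    is already queued in the TCP receive buffer before waiting for more.
    """
    data = b""
    while len(data) < n:
        chunk = conn.recv(n - len(data))
        if not chunk:  # EOF: peer sent FIN, nothing more will come
            break
        data += chunk
    return data


def split_reads(payload, first_len=73, second_len=255):
    """Deliver `payload` with ONE send() and consume it with two reads.

    Returns (first, second): what a 73-byte read and a following 255-byte
    read each see. Bytes the first read leaves behind are not lost; they
    wait in the receive buffer and come back from the second read.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # loopback, ephemeral port
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]

    def client():
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(payload)  # a single send(): TCP keeps no boundary
            c.shutdown(socket.SHUT_WR)  # FIN lets the second read stop early

    t = threading.Thread(target=client)
    t.start()
    conn, _ = srv.accept()
    conn.settimeout(5)
    try:
        first = recv_upto(conn, first_len)
        second = recv_upto(conn, second_len)
    finally:
        conn.close()
        srv.close()
        t.join()
    return first, second


if __name__ == "__main__":
    # Constructed marker payload: 73 'A's for the narrow read, 100 'B's
    # that only the second, wider read will ever see.
    head, tail = split_reads(b"A" * 73 + b"B" * 100)
    print(len(head), head[:4], len(tail), tail[:4])
```

A payload shorter than 73 bytes shows the other side of the same rule: the first read returns what arrived and the second read gets nothing, because nothing was left in the buffer.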

The effect is as follows:


----------------------------------------------------------------------

Another easier and more lightweight method is dup + exec, taught by xi4oyu.

The pseudocode looks like this:

dup2(fd, 0)

dup2(fd, 1)

exec("/bin/sh")

This redirects both standard input and standard output to the socket fd.

So when the shell is started,

it goes from a bash shell on local stdin/stdout to a reverse bash shell that talks over the network .......

I'm still testing the system call number for dup().

I'll upload the screenshot once it's ready =.= ~
